fix: prevent .mcp.json auto-discovery during plugin development

[clintecker]

Summary

Fixes the MCP configuration auto-discovery conflict that occurs during plugin development. When developing the agent-drugs plugin, the .mcp.json file in the project root was being auto-discovered by Claude Code, creating false tool availability and conflicts with the properly installed plugin.

Problem

Root Cause: Claude Code prioritizes project-local .mcp.json files over globally installed plugins. During development:

• Tools appeared available (from local config)
• But server wasn't running (config points to production)
• Plugin installation seemed "broken"
• Confusion about which config is "real"

This is especially problematic for plugin developers who face a triple namespace collision:

1. Documentation: Need to show users the correct config format
2. Development: Need to test against localhost:3000
3. Dogfooding: May want to use their own plugin (production)

Solution

Adopted the well-established .env.example pattern:

• Renamed .mcp.json → .mcp.json.example (production config template)
• Added .mcp.local.json.example (localhost config template)
• Added npm scripts: setup:dev and setup:check
• Updated all documentation to reference example files

Benefits

• ✅ No auto-discovery pollution during development
• ✅ Clear separation between docs and active configs
• ✅ Follows established conventions (.env.example, config.example.js)
• ✅ Easy dev setup via npm run setup:dev
• ✅ No accidental commits (.mcp.local.json gitignored)
• ✅ Works with plugin installation (no conflicts)

Usage

For plugin developers:

npm run setup:dev    # Creates .mcp.local.json
npm run dev:http     # Start local server on :3000
# Claude Code now uses localhost instead of production

For plugin users:

• No changes needed
• Install via Claude Code plugins normally
• The .mcp.json.example is just documentation

Changes

• .mcp.json → .mcp.json.example (production template)
• New .mcp.local.json.example (development template)
• Updated package.json with dev setup scripts
• Updated README.md, CLAUDE.md, PLUGIN_ARCHITECTURE.md
• Updated docs/LOCAL_TESTING.md with new workflow
• Fixed reference in docs/plans/2025-10-13-custom-auth-tokens.md

Testing

• Verified .mcp.local.json is in .gitignore
• Tested npm run setup:dev creates correct file
• Confirmed .mcp.json.example is not auto-discovered
• Verified all docs reference the correct files

Additional Context

Also includes work on the detox tool (separate feature):

• commands/detox.md - New slash command
• src/tools/detox.ts - Tool implementation
• src/tools/detox.test.ts - Tests
• Updates to src/http-server.ts, src/state-manager.ts, src/tools/take-drug.ts

(The detox work was in progress when this fix was needed, so it's included in this PR. Can split if needed.)

Summary by CodeRabbit

• New Features

  • Added a detox command to remove all active drugs and return to normal behavior, with user-facing messages and auth prompts when needed.
  • Added a local MCP configuration example to simplify running a local development server.

• Documentation

  • Major docs expansion: detox usage, two-level effect diagrams, architecture, local testing, OAuth flow, development and troubleshooting guides.

• Tests

  • Added unit tests covering detox behavior and error handling.

• Chores

  • New npm scripts to create/check local development config.

[coderabbitai]

Walkthrough

Adds a new "detox" tool with tests and state API to clear active drugs, registers the tool in the MCP HTTP server (with OAuth metadata refactor), introduces local MCP config example and setup scripts, and updates extensive documentation and developer guides.

Changes

Cohort / File(s)	Summary
Configuration Templates /.mcp.local.json.example	Adds a local MCP example config containing an agent-drugs HTTP server entry pointing to http://localhost:3000/mcp with transport: http.
HTTP Server Integration src/http-server.ts	Imports and exposes detoxTool in MCP tools metadata; handles detox tool calls; refactors OAuth metadata endpoint to fetch upstream metadata, rewrite for local dev, and add error handling/logging.
State Management src/state-manager.ts	Adds public clearAllDrugs(): Promise<void> which writes an empty drugs array to the user's active_drugs Firestore document.
Detox Tool & Tests src/tools/detox.ts, src/tools/detox.test.ts	New detoxTool(state) that reads active drugs, clears them, logs timing, and returns ToolResult; adds unit tests for success, no-op, and error cases.
Tools / Minor Refactor src/tools/take-drug.ts	Adjusts logger import path from ../logger.js to ../logger (no behavior change).
Scripts scripts/setup-dev.js, scripts/setup-check.js	Adds setup-dev to copy .mcp.local.json.example → .mcp.local.json and setup-check to verify .mcp.local.json exists.
Package Scripts package.json	Adds npm scripts setup:dev and setup:check.
Documentation & Guides CLAUDE.md, PLUGIN_ARCHITECTURE.md, README.md, commands/detox.md, docs/LOCAL_TESTING.md, docs/plans/2025-10-13-custom-auth-tokens.md, DEVELOPMENT.md	Large documentation additions and reorganizations: Detox command docs, two-level effect diagrams, MCP config guidance (example templates and local workflow), local testing/development steps and diagrams, OAuth and persistence flows, troubleshooting, and security/dev guidance.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant MCP
    participant HTTP_Server as "HTTP Server"
    participant DetoxTool as "detoxTool"
    participant StateMgr as "StateManager"
    participant Logger

    User->>MCP: invoke "detox" tool
    MCP->>HTTP_Server: tool call (detox)
    HTTP_Server->>DetoxTool: detoxTool(stateManager)
    activate DetoxTool

    DetoxTool->>Logger: log start
    DetoxTool->>StateMgr: getActiveDrugs()
    alt drugs found
        StateMgr-->>DetoxTool: list of drugs
        DetoxTool->>StateMgr: clearAllDrugs()
        StateMgr-->>DetoxTool: confirmation
        DetoxTool->>Logger: log success + elapsed
        DetoxTool-->>HTTP_Server: ToolResult (success + removed list)
    else no drugs
        StateMgr-->>DetoxTool: empty list
        DetoxTool->>Logger: log no-op
        DetoxTool-->>HTTP_Server: ToolResult (info: nothing to clear)
    else error
        StateMgr-->>DetoxTool: throws/error
        DetoxTool->>Logger: log error + elapsed
        DetoxTool-->>HTTP_Server: ToolResult (error + message)
    end

    deactivate DetoxTool
    HTTP_Server-->>MCP: Return ToolResult
    MCP-->>User: Display result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped in with a tiny fix,
Cleared the weeds and cleared the mix,
Templates copied, tests all run,
Detox called — the job is done!
✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix: prevent .mcp.json auto-discovery during plugin development" accurately and clearly describes the primary issue being addressed in this PR. The changeset implements the exact solution referenced in the title: renaming .mcp.json to .mcp.json.example, introducing .mcp.local.json.example for local development, adding setup scripts, and updating documentation to explain the new template-based approach. The title is concise and directly communicates the core fix from the developer's perspective. While the PR also includes work on a detox tool (which the PR objectives note as "in-progress" and "can be split out"), the title appropriately focuses on the main issue without needing to cover every ancillary change.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/mcp-config-auto-discovery

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[clintecker]

Documentation Updates

Added comprehensive visual documentation with mermaid diagrams:

New Content

• DEVELOPMENT.md - Complete development guide with setup, workflows, testing, troubleshooting
  • 4 mermaid diagrams (component interaction, data flow, testing flow, config flow)
  • Step-by-step guides for common tasks
  • Troubleshooting section
  • Contributing guidelines

Enhanced Existing Docs

• CLAUDE.md - Added 3 diagrams (immediate/persistent effects, OAuth flow, system overview)
• README.md - Added 3 diagrams (how it works, architecture, dev config)
• PLUGIN_ARCHITECTURE.md - Added 2 diagrams (two-level effects, components)
• docs/LOCAL_TESTING.md - Replaced ASCII with 3 mermaid diagrams

Visual Guides Now Cover:

✅ Immediate vs persistent drug effects
✅ OAuth authentication flows
✅ MCP configuration patterns
✅ Local development setup
✅ Component interactions
✅ Development workflows
✅ Testing procedures

All diagrams use consistent minimalist styling with color-coding for easy comprehension by run-of-the-mill agentic developers.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/http-server.ts (1)

349-361: Return the local metadata URL in the auth hint.
Point clients at the server’s own metadata endpoint to keep flows local as documented.

-            oauthMetadataUrl: 'https://us-central1-agent-drugs.cloudfunctions.net/oauthMetadata'
+            oauthMetadataUrl: `${req.protocol}://${req.get('host')}/.well-known/oauth-authorization-server`

docs/LOCAL_TESTING.md (1)

120-132: Add "type": "http" to the manual token example for consistency and correctness.

The first two MCP configuration examples in the file correctly include "type": "http", but the manual token example (lines 120-132) omits it. Since all three examples use the same HTTP endpoint (http://localhost:3000/mcp), the transport type must be explicitly specified for HTTP-based connections per MCP specification.

{
  "mcpServers": {
    "agent-drugs-local": {
+      "type": "http",
       "url": "http://localhost:3000/mcp",
       "headers": {
         "Authorization": "Bearer agdrug_xxx..."
       }
     }
  }
}

🧹 Nitpick comments (8)

docs/LOCAL_TESTING.md (2)

72-80: Suggest adding a quick verification step after setup.
After npm run setup:dev (or manual copy), advise running setup:check to fail fast if the file wasn’t created.

Apply this small addition:

 # Copy the example to create your local config
 npm run setup:dev

 # Or manually:
 cp .mcp.local.json.example .mcp.local.json
+ 
+# Verify it exists:
+npm run setup:check

---

84-85: Fix MD lint: avoid bold as a heading.
Use a heading or blockquote to satisfy MD036.

Example:

-**Note:** The `.mcp.local.json` file is gitignored and won't be committed...
+#### Note
+The `.mcp.local.json` file is gitignored and won't be committed...

src/tools/detox.ts (3)

14-16: Skip the write when there’s nothing to clear.
Avoid an unnecessary Firestore write in the no‑op case by returning before calling clearAllDrugs.

-  // Clear all active drugs
-  await state.clearAllDrugs();
-
   logger.info('Tool: detox succeeded', {
     count: drugs.length,
     drugs: drugNames,
     elapsed: Date.now() - startTime
   });

   if (drugs.length === 0) {
     return {
       content: [{
         type: 'text',
         text: '✨ No active drugs to clear. You\'re already clean!'
       }],
     };
   }

+  // Clear only when there were active drugs
+  await state.clearAllDrugs();

Also applies to: 23-31

---

17-21: Minimize potentially sensitive data in info logs.
Logging full drug names can leak user‑specific behavior. Log counts at INFO and names at DEBUG if needed.

-logger.info('Tool: detox succeeded', { count: drugs.length, drugs: drugNames, elapsed: ... });
+logger.info('Tool: detox succeeded', { count: drugs.length, elapsed: Date.now() - startTime });
+logger.debug?.('Tool: detox details', { drugs: drugNames });

---

49-55: Don’t echo raw error details to the user.
Return a generic error and keep specifics in logs.

-        text: `Error clearing drugs: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        text: 'Failed to clear drugs. Please try again.',

src/tools/detox.test.ts (1)

55-66: Strengthen the error‑path test.
Verify we don’t attempt a clear when discovery fails.

   it('should handle errors gracefully', async () => {
     const mockState = {
       getActiveDrugs: jest.fn().mockRejectedValue(new Error('Firestore error')),
       clearAllDrugs: jest.fn(),
     } as any;

     const result = await detoxTool(mockState);

     expect(result.isError).toBe(true);
     expect(result.content[0].text).toContain('Error');
     expect(result.content[0].text).toContain('Firestore error');
+    expect(mockState.clearAllDrugs).not.toHaveBeenCalled();
   });

If you adopt the no‑op optimization in detoxTool, also update the “no drugs” test to expect not.toHaveBeenCalled() for clearAllDrugs.

PLUGIN_ARCHITECTURE.md (1)

73-87: Great call moving to .example configs to prevent auto‑discovery.
Consider linking the setup scripts here for discoverability (npm run setup:dev and setup:check).

src/http-server.ts (1)

319-335: Align protocolVersion with logged MCP version.
Docs/logs say MCP 2025‑03‑26; initialize returns 2024‑11‑05. Align to avoid client capability mismatches.

-          protocolVersion: '2024-11-05',
+          protocolVersion: '2025-03-26',

Confirm this matches the client you’re targeting.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4bbe870 and 41cf1e2.

📒 Files selected for processing (13)

• .mcp.local.json.example (1 hunks)
• CLAUDE.md (4 hunks)
• PLUGIN_ARCHITECTURE.md (2 hunks)
• README.md (2 hunks)
• commands/detox.md (1 hunks)
• docs/LOCAL_TESTING.md (1 hunks)
• docs/plans/2025-10-13-custom-auth-tokens.md (1 hunks)
• package.json (1 hunks)
• src/http-server.ts (4 hunks)
• src/state-manager.ts (1 hunks)
• src/tools/detox.test.ts (1 hunks)
• src/tools/detox.ts (1 hunks)
• src/tools/take-drug.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

src/http-server.ts (3)

functions/lib/oauthMetadata.js (2)

• req (51-51)
• metadata (42-42)

src/logger.ts (3)

• logger (110-110)
• response (86-94)
• error (66-78)

src/tools/detox.ts (1)

• detoxTool (5-57)

src/tools/detox.ts (3)

src/state-manager.ts (1)

• StateManager (19-129)

src/tools/list-drugs.ts (1)

• ToolResult (4-7)

src/logger.ts (2)

• logger (110-110)
• error (66-78)

src/tools/detox.test.ts (1)

src/tools/detox.ts (1)

• detoxTool (5-57)

🪛 markdownlint-cli2 (0.18.1)

docs/LOCAL_TESTING.md

79-79: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

README.md

113-113: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🔇 Additional comments (11)

src/tools/take-drug.ts (1)

4-4: LGTM!

The import path change from ../logger.js to ../logger is consistent with TypeScript conventions and has no functional impact.

.mcp.local.json.example (1)

1-9: LGTM!

The local MCP configuration example is well-structured and serves its purpose for local plugin development testing against localhost:3000.

README.md (1)

111-141: LGTM! Clear and comprehensive local development guidance.

The new plugin development section effectively explains:

• Purpose of the example config files
• Local development workflow with setup:dev
• Rationale for avoiding auto-discovery conflicts

The documentation aligns well with the PR's main objective of preventing .mcp.json auto-discovery issues.

Note: The markdownlint warning about Line 113 using emphasis instead of heading is a false positive—the bold text **For Plugin Development:** is intentionally used for emphasis within the section rather than as a heading.

docs/plans/2025-10-13-custom-auth-tokens.md (1)

1151-1165: LGTM!

The documentation updates correctly reflect the new local MCP configuration pattern using .mcp.local.json as an alternative to global configuration.

CLAUDE.md (4)

11-11: LGTM!

The detox tool/command additions to the quick reference are clear and consistent with the rest of the documentation.

Also applies to: 17-17

---

100-108: LGTM!

The detox usage documentation is clear and provides helpful examples of alternative phrasings users might naturally use.

---

157-183: Excellent documentation of the MCP configuration pattern.

This section clearly explains:

• The purpose of each example file
• The development workflow
• The rationale for avoiding auto-discovery conflicts

The explanation directly addresses the core problem described in the PR objectives.

---

206-206: LGTM!

Updated reference to .mcp.json.example is consistent with the new configuration pattern.

src/state-manager.ts (1)

113-128: LGTM! Clean implementation of the clearAllDrugs method.

The implementation correctly:

• Clears the drugs array
• Maintains userId and agentId metadata
• Uses server timestamp for consistency
• Uses set() which will create the document if it doesn't exist (appropriate for detox)

commands/detox.md (1)

1-14: LGTM! Clear command documentation.

The documentation effectively describes:

• The command's purpose and behavior
• Expected confirmation output
• OAuth authentication handling and fallback guidance

The instructions align well with the detox tool implementation and user experience expectations.

docs/LOCAL_TESTING.md (1)

82-83: LGTM — clear explanation of auto‑discovery behavior.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

PLUGIN_ARCHITECTURE.md (1)

248-266: Add language specifications to code blocks.

Code blocks for TypeScript, JavaScript, and JSON examples lack language identifiers, which violates markdown standards and impacts syntax highlighting.

Apply language identifiers to these code blocks:

-​```
+​```typescript
 const boxWidth = 62;

-​```
+​```javascript
 // Load agent's active drugs from Firestore

-​```
+​```javascript
 {
   userId: "user_123",

-​```
+​```json
 {
   "name": "2389 Research Plugins",

Also applies to: 273-281, 297-309, 391-405

🧹 Nitpick comments (1)

CLAUDE.md (1)

289-295: Consider referencing npm setup scripts.

The "Local Testing" section mentions npm run dev:http but could explicitly reference the npm run setup:dev and npm run setup:check scripts mentioned in the PR objectives for improved developer guidance on initial setup.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41cf1e2 and 95b7edb.

📒 Files selected for processing (5)

• CLAUDE.md (6 hunks)
• DEVELOPMENT.md (1 hunks)
• PLUGIN_ARCHITECTURE.md (3 hunks)
• README.md (3 hunks)
• docs/LOCAL_TESTING.md (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• DEVELOPMENT.md

🚧 Files skipped from review as they are similar to previous changes (2)

• README.md
• docs/LOCAL_TESTING.md

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

CLAUDE.md

79-79: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

215-215: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

PLUGIN_ARCHITECTURE.md

79-79: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (3)

PLUGIN_ARCHITECTURE.md (1)

128-147: Clear rationale for example file pattern.

The MCP Server Configuration section effectively explains the auto-discovery conflict and the solution using .example files. The documentation clearly contrasts production vs. development templates and lists the available tools including the new detox capability.

CLAUDE.md (2)

139-147: Well-documented detox feature.

The "Remove All Drugs (Detox)" section clearly explains the feature's purpose and provides consistent usage examples. The note that detox removes drugs from both current and future sessions aligns well with the two-level effect system architecture.

---

262-287: Excellent explanation of MCP configuration pattern.

The MCP Configuration Files section clearly documents the problem, solution, and developer workflow. The rationale for using .example files is well-explained, and the four-step process provides a clear path for local development. Cross-reference to .env.example pattern strengthens credibility.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

scripts/setup-check.js (1)

1-15: Simple and effective setup validation script.

The script correctly checks for the existence of .mcp.local.json and provides clear feedback. Exit codes are appropriate for use in npm scripts or CI workflows.

Optional enhancement: Consider validating that the file contains valid JSON, not just that it exists:

 try {
   fs.statSync(target);
+  // Optional: validate JSON structure
+  const content = fs.readFileSync(target, 'utf8');
+  JSON.parse(content);
   console.log('✓ Dev config exists');
   process.exit(0);
 } catch {

However, the current implementation is perfectly adequate for a simple existence check.

scripts/setup-dev.js (1)

1-16: Clean setup script with appropriate error handling.

The script correctly copies the example configuration to the local development config with clear success/failure messaging.

Optional enhancement: Consider checking if the target already exists to avoid accidentally overwriting local changes:

 try {
+  if (fs.existsSync(target)) {
+    console.log('✓ .mcp.local.json already exists (skipping)');
+    process.exit(0);
+  }
   fs.copyFileSync(source, target);
   console.log('✓ Created .mcp.local.json for local development');
   process.exit(0);

However, since this is a gitignored file and the script is explicitly named setup-dev, overwriting is likely acceptable behavior.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 95b7edb and 78ad7c6.

📒 Files selected for processing (10)

• CLAUDE.md (7 hunks)
• PLUGIN_ARCHITECTURE.md (4 hunks)
• docs/LOCAL_TESTING.md (3 hunks)
• package.json (1 hunks)
• scripts/setup-check.js (1 hunks)
• scripts/setup-dev.js (1 hunks)
• src/http-server.ts (5 hunks)
• src/state-manager.ts (1 hunks)
• src/tools/detox.test.ts (1 hunks)
• src/tools/detox.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• src/tools/detox.test.ts
• package.json
• src/state-manager.ts

🧰 Additional context used

🧬 Code graph analysis (3)

src/tools/detox.ts (3)

src/state-manager.ts (1)

• StateManager (19-137)

src/tools/list-drugs.ts (1)

• ToolResult (4-7)

src/logger.ts (2)

• logger (110-110)
• error (66-78)

src/http-server.ts (3)

functions/lib/oauthMetadata.js (2)

• req (51-51)
• metadata (42-42)

src/logger.ts (3)

• logger (110-110)
• response (86-94)
• error (66-78)

src/tools/detox.ts (1)

• detoxTool (5-64)

scripts/setup-dev.js (1)

scripts/setup-check.js (3)

• fs (3-3)
• path (4-4)
• target (6-6)

🔇 Additional comments (10)

src/tools/detox.ts (1)

5-63: LGTM! Clean implementation with good privacy practices.

The detox tool implementation is well-structured:

• Early return for no-op case avoids unnecessary Firestore writes
• Separates count logging (INFO) from drug names (DEBUG) to minimize sensitive data exposure
• Error handling properly logs details while returning generic user messages
• Follows the established pattern from other tools

CLAUDE.md (3)

11-11: Documentation properly reflects the new detox tool.

The detox command is correctly added to both the tools list and available commands, maintaining consistency with the implementation.

Also applies to: 17-17

---

25-95: Excellent visual explanation of the two-level effect system.

The mermaid diagrams and accompanying explanation clearly distinguish between immediate (current session) and persistent (future sessions) effects, making the architecture much easier to understand.

---

262-287: Well-justified rationale for example file pattern.

The explanation of why .mcp.json.example and .mcp.local.json.example are used instead of direct config files is clear and addresses the auto-discovery problem mentioned in the PR objectives.

docs/LOCAL_TESTING.md (2)

72-84: Setup instructions properly reference the new workflow.

The updated instructions correctly point users to npm run setup:dev and clarify that .mcp.local.json is gitignored, aligning with the new example file pattern.

---

158-235: Visual diagrams significantly improve local testing guidance.

The three mermaid diagrams (Setup Overview, OAuth Flow, Development Testing Flow) provide clear, color-coded visual representations that will help developers understand the local testing architecture.

src/http-server.ts (2)

32-78: OAuth metadata endpoint correctly implements local rewriting and upstream status handling.

The refactored endpoint properly:

• Fetches metadata from upstream Cloud Functions
• Honors upstream HTTP status (returns non-OK status if upstream fails)
• Rewrites endpoints to local URLs for dev testing
• Includes comprehensive logging

This addresses the concerns from the past review comment about returning local endpoints and honoring upstream status.

---

11-11: Detox tool properly integrated into MCP server.

The detox tool is correctly:

• Imported from the tools module
• Added to the tools list with appropriate description
• Wired into the tool invocation switch

Integration follows the established pattern used by other tools.

Also applies to: 441-448, 480-482

PLUGIN_ARCHITECTURE.md (2)

23-89: Architecture diagrams provide excellent visual documentation.

The mermaid diagrams clearly illustrate both the two-level effect system and the plugin component structure, making the architecture much more accessible to developers.

---

128-147: MCP configuration documentation properly explains the example file pattern.

The expanded section clearly documents both production and local development templates, explains their purposes, and provides strong rationale for using example files to prevent auto-discovery conflicts during development.